Spyware Hunter Turns Tables on Russian Operatives Targeting Signal

A leading spyware investigator received a phishing message on Signal and used it to expose Russian government hackers running an automated campaign. The effort has targeted over 13,500 accounts using impersonation tactics warned about by the FBI, CISA and European agencies. It continues to expand through contact lists and group chats.
Written by Sara Donnelly

Donncha Ó Cearbhaill stared at his Signal screen one day earlier this year. The message looked official. “Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak.” It continued with warnings of attempts to access his private data. Then came the request. Enter a verification code to fix it. Don’t tell anyone the code. Not even Signal employees.

He knew better. Ó Cearbhaill heads Amnesty International’s Security Lab. His work focuses on exposing spyware used against activists and journalists worldwide. This time the hunters became the hunted. But he flipped the script. What followed was a rare look inside a persistent Russian operation aimed at hijacking encrypted chats.

The tactics were straightforward. Pose as Signal support. Scare the target with talk of leaks or breaches. Coax out a code or a click that links the account to a device the attackers control. Once in, they could read messages, scan contact lists, impersonate the victim and launch fresh attacks from a trusted name. No need to crack encryption. Just trick the user.

Ó Cearbhaill shared the details in posts on X. He counted himself among more than 13,500 targets identified so far. The real number sits higher. The campaign rolls on. TechCrunch first reported how he traced the effort to a system called ApocalypseZ. Its code and operator screens run in Russian. The attackers even translate victims’ conversations into Russian for review. Those markers line up with other evidence pointing to Russian government involvement.

This wasn’t an isolated probe. It mirrors warnings issued months earlier by multiple Western agencies. In March the FBI and CISA put out a joint alert. They described phishing campaigns tied to Russian Intelligence Services. The targets? People of high intelligence value. Current and former U.S. officials. Military members. Politicians. Journalists. The operation had already swept up thousands of accounts globally. Compromised users became vectors for more phishing. “After gaining access, the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity,” the agencies stated in their public service announcement.

Dutch intelligence sounded the alarm even earlier that month. The AIVD and MIVD accused Russian state actors of a large-scale global effort against Signal and WhatsApp. Hackers posed as support chatbots. They exploited the linked devices feature. They didn’t break the apps. They abused human trust. “It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted,” said Simone Smit, Director-General of the AIVD. Her Dutch counterpart echoed the caution. End-to-end encryption means little if operators hand over access.

German outlets saw the damage up close. Der Spiegel reported that Russian hackers had compromised accounts belonging to several people in the country. High-profile politicians were among them. The breach raised fresh worries inside Berlin about espionage on domestic soil.

Ó Cearbhaill’s targets overlapped with his own network. Journalists he collaborated with. A colleague. The pattern suggested a snowball effect. Hack one person in a group chat. Harvest the participant list. Move to the next. Opportunistic. Scalable. Automated through ApocalypseZ to hit thousands with little manual effort.

Signal itself has pushed back. The company issued warnings about these phishing attempts. It stresses that its systems remain intact. The risk lies with users. Enable Registration Lock. Set a PIN that blocks new device registrations without it. Verify group participants. Ignore unexpected requests for codes. Treat strange messages with suspicion even if they appear to come from known contacts.
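As an added example (not from the article, Signal, or Amnesty's Security Lab), the following Python triage helper scores an incoming message for the lure pattern the article describes: a sender claiming to be app support, a request for a verification code, a secrecy instruction and alarm language. The sample messages are constructed for illustration, and the regexes are a simple heuristic, not any real detection logic from Signal.

```python
import re

# Heuristic patterns for the account-linking lure described in the article.
# Each one captures a different ingredient of the social-engineering script.
SUPPORT_IMPERSONATION = re.compile(
    r"\b(signal|whatsapp)\b.*\b(support|security team|chatbot)\b", re.I | re.S)
CODE_REQUEST = re.compile(
    r"\b(verification|registration|sms|pin)\s*code\b|\bsend (me )?(the|your) code\b", re.I)
SECRECY = re.compile(
    r"\b(do not|don't|never)\s+(share|tell|disclose|give)\b.*\bcode\b", re.I | re.S)
URGENCY = re.compile(
    r"\b(suspicious activity|data leak|compromis|breach|immediately)\b", re.I)

CHECKS = [
    (SUPPORT_IMPERSONATION, "claims to be app support (support never messages in-chat)"),
    (CODE_REQUEST, "asks for a verification/registration code"),
    (SECRECY, "tells you to keep the code secret"),
    (URGENCY, "uses alarm language about leaks or breaches"),
]


def triage(body: str) -> dict:
    """Return a score, a verdict and the reasons for a single message body.

    The sender is deliberately not an input: the article notes that a
    compromised contact relays the same lure from a trusted name, so the
    message content, not the sender, has to carry the decision.
    """
    reasons = [label for pattern, label in CHECKS if pattern.search(body)]
    score = len(reasons)
    verdict = "likely phish" if score >= 3 else "suspicious" if score == 2 else "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real captures).
LURE = ("Dear User, this is Signal Security Support ChatBot. We have noticed "
        "suspicious activity on your device, which could have led to data leak. "
        "Please enter the verification code to fix it. Do not share this code "
        "with anyone, including Signal employees.")
BENIGN = "Hey, are we still on for lunch Thursday at 1? I'll bring the draft."
FROM_CONTACT = ("Hi! Signal support asked me to verify our group chat. Can you "
                "send me the code you just got? Don't tell anyone about the code.")

if __name__ == "__main__":
    for sample in (LURE, BENIGN, FROM_CONTACT):
        print(triage(sample))
```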

Yet the operation continues. No signs of slowdown. Russian services appear undeterred by the public exposures. Their interest in Signal makes sense. The app’s reputation for security draws officials, dissidents and reporters who want private conversations. Capturing those chats yields intelligence without technical wizardry. Just social engineering at scale.

Ó Cearbhaill doesn’t expect another direct attempt on him. “Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up,” he said. He even offered a wry invitation. “I welcome future messages, especially if they have zero-days they would like to share.”

The episode reveals something larger. State hackers no longer need sophisticated malware or zero-day exploits in every case. They succeed by exploiting the weakest link. The person holding the phone. And when that person works in spyware defense? The intelligence harvest could prove especially rich. Contacts. Ongoing investigations. Names of sources.

Agencies from the UK, Netherlands, Germany and the United States have all flagged the same behavior. Their coordinated warnings reflect shared concern. This isn’t a fleeting nuisance. It’s a sustained collection program aimed at Western governments, militaries and the press. The automation tools lower the bar. One operator can oversee attacks on thousands.

Defenders recommend basic steps. Enable registration locks. Use disappearing messages for sensitive topics. Verify out-of-band when something feels wrong. Report suspicious contacts. But many high-value targets juggle multiple devices and urgent communications. The pressure to respond quickly creates openings.

Ó Cearbhaill keeps watching. The campaign’s infrastructure remains active. New targets appear. Each compromise feeds the next wave. Russian operators translate chats, review contacts and expand their reach. The cycle repeats.

For an investigator who spends his days tracking mercenary spyware vendors and state implants, this personal brush carried irony. The attackers picked the wrong inbox. Instead of gaining a foothold they handed over clues. Their automation system. Their language settings. Their translation habits. Evidence that strengthens the attribution they likely hoped to avoid.

The broader lesson sticks. Encrypted apps protect content in transit. They cannot protect against the user being fooled. As long as humans manage the keys, determined state actors will keep trying to borrow them. And researchers like Ó Cearbhaill will keep exposing the attempts. One message at a time.
